IPC Audit and Risk Committee Charter 2018-2019

The Chief Executive Officer of the Information and Privacy Commission NSW (CEO/Information Commissioner) has established the Audit and Risk Committee (Committee) in compliance with the NSW Treasury Policy Internal Audit and Risk Management Policy for the NSW Public Sector (TPP15-03).

This charter sets out the Committee's objectives, authority, composition and tenure, roles and responsibilities, reporting and administrative arrangements.

1. Objective

The objective of the Committee is to provide advice and independent assistance to the Chief Executive Officer by overseeing and monitoring IPC's governance, risk and control frameworks, and its external accountability obligations.

2. Authority

The CEO/Information Commissioner authorises the Committee, within the scope of its role and responsibilities, to:

Obtain any information it needs from any employee and/or external party (subject to their legal obligation to protect information)

Discuss any matters with the external auditor, or other external parties (subject to confidentiality considerations)

Request the attendance of any employee, including the CEO/Information Commissioner, at Committee meetings

Obtain external legal or other professional advice, as considered necessary to meet its responsibilities, at IPC's expense. The payment of costs for that advice by the agency is subject to the prior approval of the agency head.

3. Composition & Tenure

The Committee will consist of three (3) members appointed by the CEO/Information Commissioner.

The CEO/Information Commissioner will appoint the Chair and members of the Committee. The Chair is counted as one of the members of the Committee.

Members will be appointed for an initial period no less than three (3) years and not exceeding five (5) years, after which they will be eligible for extension or re-appointment for a further term/s subject to a formal review of their performance (noting that the total term on the Committee will not exceed eight (8) years).

The chair must be appointed for one (1) term only for a period of at least three (3) years, with a maximum period of five (5) years. The term of appointment for the chair can be extended but any extension must not cause the total term to exceed five (5) years as a chair of the Audit and Risk Committee.

The CEO/Information Commissioner and Chief Audit Executive will not be members of the Committee, but may attend as observers as determined by the Chair.

The members should collectively develop, possess and maintain a broad range of skills and experience relevant to the operations, governance and financial management of IPC, the environment in which IPC operates and the contribution that the Committee makes to IPC.

At least one member of the Committee must have accounting or related financial management experience with an understanding of accounting and auditing standards in a public sector environment.

4. Roles and Responsibilities

The Committee has no executive powers.

The Committee is directly responsible and accountable to the CEO/Information Commissioner for the exercise of its responsibilities.

In carrying out its responsibilities, the Committee must at all times recognise that primary responsibility for management of IPC rests with the CEO/Information Commissioner. The responsibilities of the Committee may be revised or expanded in consultation with, or as requested by, the CEO/Information Commissioner from time to time.

The Committee's responsibilities are to:

4.1 Risk Management

Review whether management has in place a current and appropriate risk management framework that is consistent with AS/NZS ISO 31000:2009

Seek assurance from management and Internal Audit as to the adequacy and effectiveness of internal controls

Review risk reports and provide advice to the agency head

Review whether a sound and effective approach has been followed in developing risk management plans for major projects or undertakings

Review the impact of the IPC's risk management on its control environment and insurance arrangements

Review IPC's fraud control plan and be satisfied that the agency has appropriate processes and systems in place to capture and effectively investigate fraud related information

Review whether a sound and effective approach has been followed in establishing the IPC's business continuity planning arrangements, including whether disaster recovery plans have been tested periodically.

4.2 Control Framework

Review whether management's approach to maintaining an effective internal control framework, including over external parties such as contractors and advisors, is sound and effective

Review whether management has in place relevant policies and procedures, and that these are periodically reviewed and updated

Determine whether the appropriate processes are in place to assess, at least once a year, whether policies and procedures are complied with

Review whether appropriate policies and procedures are in place for the management and exercise of delegations

Consider how management identifies any required changes to the design or implementation of internal controls

Review whether management has taken steps to embed a culture which is committed to ethical and lawful behaviour.

4.3 External Accountability

Assess the policies and procedures for management review and consideration of the financial position and performance of the agency including the frequency and nature of that review (including the approach taken to addressing variances and budget risks)

Review procedures around early close and year-end reporting

Review the financial statements and provide advice to the CEO/Information Commissioner (including whether appropriate action has been taken in response to audit recommendations and adjustments), and recommend their signing by the CEO/Information Commissioner

Satisfy itself that the financial statements are supported by appropriate management signoff on the statements

Review policies and procedures for collection, management and disbursement of grants and tied funding

Review the processes in place designed to ensure that financial information included in the IPC's annual report is consistent with the signed financial statements

Satisfy itself that the IPC has a performance management framework that is linked to organisational objectives and outcomes.

4.4 Compliance with Applicable Laws & Regulations

Determine whether management has appropriately considered legal and compliance risks as part of IPC's risk assessment and management arrangements

Review the effectiveness of the system for monitoring IPC's compliance with applicable laws and regulations, and associated government policies.

4.5 Internal Audit

Act as a forum for communication between the CEO/Information Commissioner, senior management and internal and external audit

Review and provide advice to the CEO/Information Commissioner on the internal audit policies and procedures

Review the risk based audit methodology

Review the internal audit coverage and annual work plan, ensure the plan is based on the IPC's risk management plan, and recommend approval of the plan by the CEO/Information Commissioner

Advise the CEO/Information Commissioner on the adequacy of internal audit resources to carry out its responsibilities, including completion of the approved internal audit plan

Oversee the coordination of audit programs conducted by internal and external audit and other review functions

Review audit findings and related recommendations that have been assessed as the most significant according to the risk the audit finding represents to the agency if the recommendation(s) related to the finding are not implemented

Provide advice to the CEO/Information Commissioner on significant issues identified in audit reports and action taken on these issues, including identification and dissemination of good practice

Monitor management's implementation of internal audit recommendations

Review the internal audit charter to ensure appropriate organisational structures, authority, access and reporting arrangements are in place

Periodically review the performance of internal audit and the chief audit executive

Provide advice to the CEO/Information Commissioner on the results of any external assessments of the internal audit function

Provide advice to the CEO/Information Commissioner on whether the Chief Audit Executive should be a dedicated role within the agency

Provide advice to the CEO/Information Commissioner on the appointment or replacement of the Chief Audit Executive and recommend to the CEO/Information Commissioner the appointment or replacement of external internal audit service providers (in the case of an outsourced internal audit function).

4.6 External Audit

Act as a forum for communication between the CEO/Information Commissioner, senior management and internal and external audit

Provide input and feedback on the financial statements and performance audit coverage proposed by external audit and provide feedback on the audit services provided

Review all external plans and reports in respect of planned or completed audits and monitor management's implementation of audit recommendations

Provide advice to the CEO/Information Commissioner on action taken on significant issues raised in relevant external audit reports and better practice guides.

5. Responsibilities of members

Members of the Committee are expected to understand and observe the requirements of the Internal Audit and Risk Management Policy. Members are also expected to:

Make themselves available as required to attend and participate in meetings

Contribute the time needed to study and understand the papers provided

Apply good analytical skills, objectivity and good judgement

Abide by the relevant ethical codes that apply to employment within the NSW public sector

Express opinions frankly, ask questions that go to the fundamental core of the issue and pursue independent lines of enquiry.

6. Reporting

The Committee will regularly, but at least once a year, report to the CEO/Information Commissioner on its operation and activities during the year. The report should include:

An overall assessment of the IPC's risk, control and compliance framework, including details of any significant emerging risks or legislative changes impacting IPC

A summary of the work the Committee performed to fully discharge its responsibilities during the preceding year

Details of meetings, including the number of meetings held during the relevant period, and the number of meetings each member attended

A summary of the IPC's progress in addressing the findings and recommendations made in internal and external reports

A summary of the Committee's assessment of the performance of internal audit.

The Committee may, at any time, report to the CEO/Information Commissioner any other matter it deems of sufficient importance to do so. In addition, at any time an individual committee member may request a meeting with the CEO/Information Commissioner.

7. Reporting lines

The Committee must at all times ensure it maintains a direct reporting line to and from internal audit and act as a mechanism for internal audit to report to the CEO/Information Commissioner on functional matters.

IPC's reporting line is prescribed as follows (each function reports upward to the one above it):

CEO/Information Commissioner
  ^
Audit & Risk Committee
  ^
Chief Audit Executive (Internal Audit function)

8. Administrative arrangements

8.1 Meetings

The Committee will meet at least four (4) times per year. A special meeting may be held to review IPC's annual financial statements.

The Chair is required to call a meeting if requested to do so by the CEO/Information Commissioner, or another Committee member.

A meeting plan, including meeting dates and agenda items, will be agreed by the Committee each year. The meeting plan will cover all the Committee's responsibilities as detailed in this Charter.

The Committee may deal with matters out of session as appropriate. Minutes of any matters the Committee addresses out of session will be maintained by the Committee Secretariat. Matters may be separately minuted or recorded in the minutes of the next formal meeting.

8.2 Attendance at Meetings & Quorums

A quorum will consist of a majority of Committee members. A quorum must include at least two (2) independent members.

Meetings can be held in person, by telephone or by video conference.

The agency head may attend the meetings of the Audit and Risk Committee. Committee members, if necessary, are able to have in-camera discussions. The Chief Audit Executive, external audit representatives and any other agency representatives may attend Committee meetings, except where the Committee members wish to have in-camera discussions. The Committee may also request the General Manager Finance & Administrative Services or other employees attend committee meetings or participate for certain agenda items.

The Committee will meet separately with both the internal and external auditors at least once a year.

8.3 Dispute Resolution

Members of the Committee and IPC's management should maintain an effective working relationship, and seek to resolve differences by way of open negotiation. However, in the event of a disagreement between the Committee and management (including the CEO/Information Commissioner), the Chair may, as a last resort, refer the matter to NSW Treasury to be dealt with independently.

8.4 Secretariat

The CEO/Information Commissioner will appoint a person to provide secretariat support to the Committee. The Secretariat will ensure the agenda and supporting papers are circulated, after approval from the Chair, at least one (1) week before the meeting, and ensure the minutes of the meetings are prepared and maintained.

Minutes must be approved by the Chair and circulated within one (1) week of the meeting to each member and committee observers, as appropriate.

8.5 Conflicts of Interest

Once a year the Committee members will provide written declarations to the CEO/Information Commissioner stating they do not have any conflicts of interest (perceived, actual or potential) that would preclude them from being members of the Committee.

Committee members must declare any conflicts of interest at the start of each meeting or before discussion of the relevant agenda item or topic. Details of any conflict of interest should be appropriately minuted.

Any external provider of internal audit services must also declare any conflicts of interest at the start of each meeting or before discussion of the relevant agenda topic. Details of any conflict of interest should be appropriately minuted.

Where members or observers at the committee meetings are deemed to have a real, or perceived, conflict of interest it may be appropriate that they are excused from committee deliberations on the issue where a conflict of interest exists.

8.6 Induction

New members will receive relevant information and briefing on their appointment to assist them to meet their committee responsibilities.

8.7 Assessment Arrangements

The CEO/Information Commissioner, in consultation with the Chair of the Committee, will establish a mechanism to review and report on the performance of the Committee, including the performance of the Chair and each member, at least annually.

The review will be conducted on a self-assessment basis (unless otherwise determined by the CEO/Information Commissioner) with appropriate input sought from the CEO/Information Commissioner, the internal and external auditors, management and any other relevant stakeholders as determined by the CEO/Information Commissioner.

8.8 Review of Charter

At least once a year the Committee will review this Charter. This review will include consultation with the CEO/Information Commissioner.

Any substantive changes to this Charter will be recommended by the Committee and formally approved by the CEO/Information Commissioner.